1 | /* |
2 | * "$Id$" | |
3 | * | |
4 | * TLS check program for CUPS. | |
5 | * | |
6 | * Copyright 2007-2015 by Apple Inc. | |
7 | * Copyright 1997-2006 by Easy Software Products. | |
8 | * | |
9 | * These coded instructions, statements, and computer programs are the | |
10 | * property of Apple Inc. and are protected by Federal copyright | |
11 | * law. Distribution and use rights are outlined in the file "LICENSE.txt" | |
12 | * which should have been included with this file. If this file is | |
13 | * missing or damaged, see the license at "http://www.cups.org/". | |
14 | * | |
15 | * This file is subject to the Apple OS-Developed Software exception. | |
16 | */ | |
17 | ||
18 | /* | |
19 | * Include necessary headers... | |
20 | */ | |
21 | ||
22 | #include "cups-private.h" | |
23 | ||
24 | ||
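#ifdef __APPLE__
/*
 * Cipher-suite policy (Apple SecureTransport only).
 *
 * Each table entry maps a SecureTransport SSLCipherSuite constant to its
 * IANA name, records whether the suite performs an (EC)DH key exchange whose
 * parameters should be inspected, and carries the reason (if any) the suite
 * is rejected outright.  The printed name is stringified from the constant
 * so it can never drift from the value that was matched.
 *
 * Rejected outright: NULL-encryption suites (no confidentiality), RC4 suites
 * (broken stream cipher) and anonymous DH suites (no server authentication,
 * trivially MITM-able).  3DES suites are still accepted, as before.
 */

enum					/* Why a suite is rejected (bit flags) */
{
  CIPHER_OK   = 0,			/* Acceptable */
  CIPHER_NULL = 1,			/* No encryption (NULL cipher) */
  CIPHER_RC4  = 2,			/* RC4 stream cipher */
  CIPHER_ANON = 4			/* Anonymous DH: server not authenticated */
};

enum					/* Size limits */
{
  MIN_DH_PARAM_BYTES = 128		/* 1024-bit DH floor; 2048 bits is the
					 * usual modern minimum - tighten if your
					 * policy allows */
};

typedef struct				/* Cipher-suite table entry */
{
  SSLCipherSuite suite;			/* SecureTransport constant */
  const char	 *name;			/* IANA name, for output */
  int		 dh_params;		/* Non-zero if (EC)DH parameters apply */
  int		 reject;		/* CIPHER_xxx flags, 0 if acceptable */
} cipher_info_t;

#define SUITE(n,dh,flags)	{ n, #n, dh, flags }

static const cipher_info_t cipher_table[] =
{
  SUITE(TLS_NULL_WITH_NULL_NULL,		0, CIPHER_NULL),
  SUITE(TLS_RSA_WITH_NULL_MD5,			0, CIPHER_NULL),
  SUITE(TLS_RSA_WITH_NULL_SHA,			0, CIPHER_NULL),
  SUITE(TLS_RSA_WITH_RC4_128_MD5,		0, CIPHER_RC4),
  SUITE(TLS_RSA_WITH_RC4_128_SHA,		0, CIPHER_RC4),
  SUITE(TLS_RSA_WITH_3DES_EDE_CBC_SHA,		0, CIPHER_OK),
  SUITE(TLS_RSA_WITH_NULL_SHA256,		0, CIPHER_NULL),
  SUITE(TLS_RSA_WITH_AES_128_CBC_SHA256,	0, CIPHER_OK),
  SUITE(TLS_RSA_WITH_AES_256_CBC_SHA256,	0, CIPHER_OK),
  SUITE(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DH_anon_WITH_RC4_128_MD5,		1, CIPHER_ANON | CIPHER_RC4),
  SUITE(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,	1, CIPHER_ANON),
  SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA256,	1, CIPHER_ANON),
  SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA256,	1, CIPHER_ANON),
  SUITE(TLS_PSK_WITH_RC4_128_SHA,		0, CIPHER_RC4),
  SUITE(TLS_PSK_WITH_3DES_EDE_CBC_SHA,		0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_AES_128_CBC_SHA,		0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_AES_256_CBC_SHA,		0, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_RC4_128_SHA,		1, CIPHER_RC4),
  SUITE(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_AES_128_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_AES_256_CBC_SHA,	1, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_RC4_128_SHA,		0, CIPHER_RC4),
  SUITE(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,	0, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_AES_128_CBC_SHA,	0, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_AES_256_CBC_SHA,	0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_NULL_SHA,			0, CIPHER_NULL),
  SUITE(TLS_DHE_PSK_WITH_NULL_SHA,		1, CIPHER_NULL),
  SUITE(TLS_RSA_PSK_WITH_NULL_SHA,		0, CIPHER_NULL),
  SUITE(TLS_RSA_WITH_AES_128_GCM_SHA256,	0, CIPHER_OK),
  SUITE(TLS_RSA_WITH_AES_256_GCM_SHA384,	0, CIPHER_OK),
  SUITE(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_DH_RSA_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DH_RSA_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_DH_DSS_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DH_DSS_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_DH_anon_WITH_AES_128_GCM_SHA256,	1, CIPHER_ANON),
  SUITE(TLS_DH_anon_WITH_AES_256_GCM_SHA384,	1, CIPHER_ANON),
  SUITE(TLS_PSK_WITH_AES_128_GCM_SHA256,	0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_AES_256_GCM_SHA384,	0, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,	0, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,	0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_AES_128_CBC_SHA256,	0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_AES_256_CBC_SHA384,	0, CIPHER_OK),
  SUITE(TLS_PSK_WITH_NULL_SHA256,		0, CIPHER_NULL),
  SUITE(TLS_PSK_WITH_NULL_SHA384,		0, CIPHER_NULL),
  SUITE(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,	1, CIPHER_OK),
  SUITE(TLS_DHE_PSK_WITH_NULL_SHA256,		1, CIPHER_NULL),
  SUITE(TLS_DHE_PSK_WITH_NULL_SHA384,		1, CIPHER_NULL),
  SUITE(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,	0, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,	0, CIPHER_OK),
  SUITE(TLS_RSA_PSK_WITH_NULL_SHA256,		0, CIPHER_NULL),
  SUITE(TLS_RSA_PSK_WITH_NULL_SHA384,		0, CIPHER_NULL),
  SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK),
  SUITE(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,	1, CIPHER_OK),
  SUITE(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,	1, CIPHER_OK)
};

#undef SUITE


/*
 * 'lookup_cipher()' - Find the table entry for a negotiated cipher suite.
 */

static const cipher_info_t *		/* O - Table entry or NULL if unknown */
lookup_cipher(SSLCipherSuite suite)	/* I - Negotiated cipher suite */
{
  size_t i;				/* Looping var */

  for (i = 0; i < sizeof(cipher_table) / sizeof(cipher_table[0]); i ++)
    if (cipher_table[i].suite == suite)
      return (cipher_table + i);

  return (NULL);
}


/*
 * 'reject_reason()' - Describe why a suite is unacceptable.
 *
 * When several flags are set the most severe one (no encryption at all)
 * is reported.
 */

static const char *			/* O - Reason string or NULL if acceptable */
reject_reason(int flags)		/* I - CIPHER_xxx flags */
{
  if (flags & CIPHER_NULL)
    return ("NULL cipher");
  else if (flags & CIPHER_RC4)
    return ("RC4");
  else if (flags & CIPHER_ANON)
    return ("anonymous Diffie-Hellman");
  else
    return (NULL);
}


/*
 * 'check_negotiated_cipher()' - Validate the suite negotiated on a connection.
 *
 * Fills "name" with the suite's IANA name (or "UNKNOWN_xxxx" for a suite not
 * in the table) and returns 0 if the suite is acceptable.  On any failure an
 * error line has already been printed; the caller still owns "http".
 */

static int				/* O - 0 if acceptable, 1 on error */
check_negotiated_cipher(
    http_t     *http,			/* I - Established TLS connection */
    const char *server,			/* I - Server name for messages */
    char       *name,			/* O - Cipher suite name */
    size_t     namesize)		/* I - Size of name buffer */
{
  SSLCipherSuite      cipher;		/* Negotiated cipher suite */
  const cipher_info_t *info;		/* Table entry for cipher */
  const char	      *reason;		/* Rejection reason, if any */
  int		      dh_params = 0;	/* Are DH parameters expected? */
  const void	      *params = NULL;	/* DH parameters */
  size_t	      paramsLen = 0;	/* Length of DH parameters (bytes) */
  OSStatus	      err;		/* SecureTransport status */


  if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr)
  {
    printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err);
    return (1);
  }

  if ((info = lookup_cipher(cipher)) != NULL)
  {
    snprintf(name, namesize, "%s", info->name);
    dh_params = info->dh_params;
    reason    = reject_reason(info->reject);
  }
  else
  {
   /*
    * Not in the table: report the raw suite number.  An unknown suite is
    * not rejected (as before), so keep the table current as SecureTransport
    * adds suites - anything missing here is silently treated as acceptable.
    */

    snprintf(name, namesize, "UNKNOWN_%04X", (unsigned)cipher);
    reason = NULL;
  }

  if (reason)
  {
    printf("%s: ERROR (Insecure %s negotiated: %s)\n", server, reason, name);
    return (1);
  }

 /*
  * Inspect the Diffie-Hellman parameters.  Failing to obtain them is fatal
  * only for suites that actually use (EC)DH; otherwise paramsLen is left at
  * 0 so the size test below is skipped rather than reading garbage.
  *
  * NOTE(review): SSLGetDiffieHellmanParams returns the DH parameters held by
  * the SecureTransport context; confirm that this reflects the server's key
  * exchange for the current session (and what it yields for ECDHE suites)
  * before relying on the size check alone.
  */

  if ((err = SSLGetDiffieHellmanParams(http->tls, &params, &paramsLen)) != noErr)
  {
    if (dh_params)
    {
      printf("%s: ERROR (Unable to get Diffie Hellman parameters - %d)\n", server, (int)err);
      return (1);
    }

    paramsLen = 0;
  }

  if (paramsLen != 0 && paramsLen < MIN_DH_PARAM_BYTES)
  {
    printf("%s: ERROR (Diffie Hellman parameters only %d bytes/%d bits)\n", server, (int)paramsLen, (int)paramsLen * 8);
    return (1);
  }

  return (0);
}
#endif /* __APPLE__ */


/*
 * 'main()' - Main entry.
 *
 * Usage: tlscheck server [port]
 *
 * Opens a TLS connection to the server (default port 631) and prints one
 * line: "server: OK (suite)" with exit status 0, or "server: ERROR (...)"
 * with exit status 1.  On Apple platforms the negotiated suite and DH
 * parameters are also checked; elsewhere "OK" only means the handshake
 * completed and the suite is reported as "UNKNOWN".
 */

int					/* O - Exit status */
main(int  argc,				/* I - Number of command-line arguments */
     char *argv[])			/* I - Command-line arguments */
{
  http_t	*http;			/* HTTP connection */
  const char	*server;		/* Hostname from command-line */
  int		port = 631;		/* Port number */
  char		cipherName[256] = "UNKNOWN";
					/* Cipher suite name */


  if (argc < 2 || argc > 3)
  {
    puts("Usage: ./tlscheck server [port]");
    puts("");
    puts("The default port is 631.");
    return (1);
  }

  server = argv[1];

  if (argc == 3)
  {
   /*
    * Validate the port instead of trusting atoi(): reject trailing junk,
    * 0, negatives and anything above 65535 (strtol clamps overflow to
    * LONG_MAX, which the range test also catches).
    */

    char *end;				/* First unparsed character */
    long value = strtol(argv[2], &end, 10);
					/* Parsed port number */

    if (end == argv[2] || *end || value < 1 || value > 65535)
    {
      printf("%s: ERROR (Bad port number \"%s\")\n", server, argv[2]);
      return (1);
    }

    port = (int)value;
  }

 /*
  * HTTP_ENCRYPTION_ALWAYS makes libcups negotiate TLS before any request is
  * sent, so a successful return means the handshake completed.  Whether and
  * how the server certificate was validated is libcups' connection policy,
  * not something this program checks itself.
  */

  http = httpConnect2(server, port, NULL, AF_UNSPEC, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
  if (!http)
  {
    printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
    return (1);
  }

#ifdef __APPLE__
  if (check_negotiated_cipher(http, server, cipherName, sizeof(cipherName)))
  {
    httpClose(http);
    return (1);
  }
#endif /* __APPLE__ */

  printf("%s: OK (%s)\n", server, cipherName);

  httpClose(http);

  return (0);
}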
420 | ||
421 | ||
422 | /* | |
423 | * End of "$Id$". | |
424 | */ |